Parity multi-signature wallets created since July break, affecting 1M ETH.

Digital currencies and the wallets that hold them have become an increasingly attractive target for digital pickpockets, resulting in millions of real dollars' worth of lost currency. A $50 million heist of Ethereum currency last year exploiting weaknesses in the cryptocurrency's underlying software threatened to break the Bitcoin competitor. But a new security bug in a popular Ethereum wallet platform has caused what amounts to a bank freeze on scores of high-value wallets. Today, Parity Technologies Ltd., the developer of cryptographic "wallets" for the digital currencies Bitcoin and Ethereum, announced that an "accidental" triggering of a bug affecting certain Parity wallets had broken them, making it impossible to transfer Ethereum funds out of them.


As a result, 1 million ETH have become frozen in wallets—roughly $280 million (US) worth of digital currency. Of that, about $90 million belongs to Polkadot, the Initial Coin Offering (ICO) of Parity founder and former Ethereum core developer Gavin Wood, according to Tuur Demeester, editor in chief at Adamant Research.

The bug specifically affects multi-signature wallets created with a digital contract after July 20. Multi-signature wallets have cryptographic security measures that require multiple users to sign a transaction in order for it to be processed and approved—an approach that allows for escrow contracts to control payments from accounts belonging to a group.

By calling a function from within Parity's wallet library, a wallet owner could turn a normal single-owner wallet created with Parity's wallet contract library code into a multi-signature wallet and take over ownership of it. That bug would allow someone to kill any contract created with the most recent Parity code library, and that is exactly what happened. Someone managed to invoke the code as part of a wallet and made themselves part of every multi-signature contract created since the bug was introduced into the code. The user then "suicided" the wallet and, in the process, disabled all the multi-signature contracts that had been created since July 20 by making them "suicide" as well.

It would seem that the issue was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC, and subsequently a user suicided the library-turned-into-wallet, wiping out the library code, which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
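The pattern described above, in which thin wallets hold the funds and forward every call to one shared library contract, so that destroying the library strands every wallet, is sketched below as a constructed Solidity illustration added here; it is not Parity's contract code, and the contract and function names are assumptions. The unsafe library shows the two missing checks (no guard against direct, non-delegated calls and no guard against re-initialisation), and the hardened library beside it shows both in place.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed illustration, not Parity's code: thin wallets hold the funds and
// delegatecall a shared library for all logic, so the library's storage layout
// (slot 0 = owner, slot 1 = initialised) is also every wallet's layout.
contract UnsafeWalletLibrary {
    address public owner;
    // Defect: anyone may call this directly on the library at any time and
    // become its owner, because nothing checks the call context or prior init.
    function initWallet(address _owner) external { owner = _owner; }
    // Called directly on the library by that "owner", this destroys the library
    // itself, and every wallet delegating to it loses its logic.
    function kill(address payable to) external {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

contract WalletLibrary {
    address public owner;
    bool private initialised;
    address private immutable self = address(this); // code constant, not storage
    // Accept only calls running in a wallet's storage context (delegatecall);
    // a direct call on the library has address(this) == self and is refused.
    modifier onlyDelegated() {
        require(address(this) != self, "direct call to library");
        _;
    }
    function initWallet(address _owner) external onlyDelegated {
        require(!initialised, "already initialised");
        owner = _owner;
        initialised = true;
    }
    function kill(address payable to) external onlyDelegated {
        require(msg.sender == owner, "not owner");
        selfdestruct(to); // destroys only the calling wallet, never the library
    }
}

contract Wallet {
    address private immutable lib;
    constructor(address _lib, address _owner) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner));
        require(ok, "init failed");
    }
    // Every other call is executed with the library's code in this wallet's storage.
    fallback() external payable { (bool ok, ) = lib.delegatecall(msg.data); require(ok, "library call failed"); }
    receive() external payable {}
}
```

Deploying `WalletLibrary` and then calling `initWallet` or `kill` on its own address reverts with "direct call to library", whereas the same calls succeed on `UnsafeWalletLibrary`; that difference is the whole incident in miniature.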

Parity is still investigating how to correct the problem.

The individual who triggered the lockdown claims to be new to Ethereum and expressed concern about what would happen to him in a forum:

Security researcher Andrea Shepard compared the impact to what happened when a popular Node.js library was pulled from the npm registry, breaking thousands of Web applications in the process.

"It's literally leftpad all over again," she tweeted, "but with large amounts of money."

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat